CVE-2023-5847 Overview
CVE-2023-5847 is a local privilege escalation vulnerability affecting Tenable Nessus and Tenable Nessus Agent on both Windows and Linux platforms. Under certain conditions, a low-privileged attacker could load a specially crafted file during installation or upgrade processes to escalate privileges on the host system.
Critical Impact
This vulnerability allows attackers with local access to elevate their privileges during Nessus installation or upgrade operations, potentially gaining full system control on both Windows and Linux hosts.
Affected Products
- Tenable Nessus (vulnerable versions prior to patch)
- Tenable Nessus Agent (vulnerable versions prior to patch)
- Linux and Windows operating systems running affected Nessus versions
Discovery Timeline
- 2023-11-01 - CVE-2023-5847 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-5847
Vulnerability Analysis
This privilege escalation vulnerability exists within the Tenable Nessus and Nessus Agent installation and upgrade workflows. The flaw allows a low-privileged user to exploit improper privilege management during these operations by introducing a specially crafted file that gets loaded with elevated privileges.
The vulnerability is classified under CWE-269 (Improper Privilege Management), indicating a fundamental issue in how the application handles privilege separation during installation and upgrade processes. The attack requires local access to the target system and some user interaction, such as triggering an installation or upgrade operation.
Root Cause
The root cause of CVE-2023-5847 lies in improper privilege management within the Nessus installation and upgrade routines. During these operations, the installer or updater process operates with elevated privileges and fails to properly validate or restrict the files it loads. This allows an attacker to plant a malicious file in a location where the privileged process will load it, inheriting those elevated privileges.
Attack Vector
The attack vector is local, requiring the attacker to have some level of access to the target system. The exploitation scenario involves:
- An attacker with low-privilege access to a system running Tenable Nessus or Nessus Agent
- Crafting a malicious file designed to be loaded by the installer/updater
- Placing this file in a location accessible to the installation or upgrade process
- Waiting for or triggering an installation or upgrade operation
- The malicious file is loaded with elevated privileges, allowing code execution as a privileged user
The vulnerability requires user interaction (such as an administrator initiating an upgrade), which limits the attack window but still presents significant risk in environments where Nessus updates are performed regularly.
Detection Methods for CVE-2023-5847
Indicators of Compromise
- Unexpected files placed in Nessus installation directories or temporary upgrade paths
- Suspicious process execution spawned from nessusd or Nessus installer processes
- Anomalous privilege elevation events coinciding with Nessus installation or upgrade activities
- Unusual file modifications in directories associated with Nessus components
Detection Strategies
- Monitor file system activity in Nessus installation directories for unauthorized file creation or modification
- Implement endpoint detection rules to alert on privilege escalation attempts during software installation workflows
- Enable process monitoring to detect child processes spawned with elevated privileges from Nessus-related binaries
- Use SentinelOne's behavioral AI to identify anomalous execution patterns during installation or upgrade operations
Monitoring Recommendations
- Audit and log all Nessus installation and upgrade activities across the environment
- Configure SIEM rules to correlate file creation events with subsequent privilege escalation indicators
- Deploy file integrity monitoring on Nessus installation directories and related temporary paths
- Review installation logs for any errors or warnings that might indicate exploitation attempts
How to Mitigate CVE-2023-5847
Immediate Actions Required
- Update Tenable Nessus and Nessus Agent to the latest patched versions immediately
- Restrict local user access on systems running Nessus to trusted administrators only
- Temporarily suspend automated upgrade processes until patches are applied
- Audit systems for signs of compromise before and after patching
Patch Information
Tenable has released security patches addressing this vulnerability. Organizations should review the official security advisories and apply the recommended updates:
- Tenable Security Advisory TNS-2023-37 - Addresses the vulnerability in Tenable Nessus
- Tenable Security Advisory TNS-2023-38 - Addresses the vulnerability in Tenable Nessus Agent
Administrators should download and apply the latest versions from Tenable's official download portal following the guidance in these advisories.
Workarounds
- Limit local access to systems running Nessus to only trusted administrative users
- Implement strict file system permissions on Nessus installation directories and related paths
- Monitor and restrict write access to directories used during installation and upgrade processes
- Consider scheduling upgrades during maintenance windows with heightened monitoring in place
# Example: Restrict permissions on Nessus directories (Linux)
# Adjust paths based on your installation
chmod 750 /opt/nessus
chown -R root:root /opt/nessus
# Review and restrict temporary directories used during upgrades
chmod 700 /tmp/nessus_upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
